#!/usr/bin/env bash
set -euo pipefail

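# Enable IPv4 forwarding in the running kernel. This switch is host-wide: it
# covers every interface, not only the 10.0.0.0/24 side. Which packets may
# actually be forwarded is decided by the filter table's FORWARD chain, which
# this script neither inspects nor restricts.
# NOTE(review): review the FORWARD policy on hosts with other attached networks.
# The /proc write is runtime-only, and nothing in this script reverts it.
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward >/dev/null

# Source network that gets NATed.
# NOTE(review): presumably the subnet of the lwIP tap/bridge; confirm against
# the interface setup, which is not visible in this script.
readonly SUBNET="10.0.0.0/24"

# Detect the egress interface of the first default route. The name is taken
# from the token that follows "dev" rather than from a fixed column, because a
# default route without a gateway ("default dev ppp0 scope link") has no
# "via <addr>" pair and shifts the fields.
DEV=$(ip route show default \
  | awk '/default/ {for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}')
if [[ -z "$DEV" ]]; then
  echo "Could not detect default egress interface" >&2
  exit 1
fi

echo "[*] Enabling MASQUERADE via $DEV for $SUBNET ..."
# -C only checks whether the exact rule already exists, so re-running the
# script does not stack duplicate rules; -A appends it when the check fails.
# The check's stderr is discarded because "rule not found" is the expected
# first-run outcome. The rule lives in the running ruleset only; the matching
# "-D POSTROUTING ..." form removes it again.
if ! sudo iptables -t nat -C POSTROUTING -s "$SUBNET" -o "$DEV" -j MASQUERADE 2>/dev/null; then
  sudo iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$DEV" -j MASQUERADE
fi

echo "[✓] NAT enabled. lwIP can now reach the internet via host."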
